API Security Organizations

These are the organizations I come across in my research who are doing interesting things in the API space. They could be companies, institutions, government agencies, or any other type of organizational entity. My goal is to aggregate so I can stay in tune with what they are up to and how it impacts the API space.


Akamai Technologies, Inc. is a content delivery network or CDN and cloud services provider headquartered in Cambridge, Massachusetts, in the United States. Akamai's content delivery network is one of the world's largest distributed computing platforms, responsible for serving between 15 and 30 percent of all web traffic. The company operates a network of servers around the world and rents capacity on these servers to customers who want their websites to work faster by distributing content from locations close to the user.

Arxan Technologies

Arxan Technologies is an American technology company specializing in anti-tamper protections for software. The company reports that applications secured by it are running on over 500 million devices.

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, you can quickly request a certificate, deploy it on AWS resources such as Elastic Load Balancers or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals. SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.

AWS Config

AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

AWS Directory Service

AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. The Microsoft AD service is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features such as Group Policy, trusts, and single sign-on. With Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to a domain, and use AWS Enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.

AWS Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

AWS Key Management Service

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

AWS Security Token Service

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

AWS Snowball

Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers including high network costs, long transfer times, and security concerns. Transferring data with Snowball is simple, fast, secure, and can be as little as one-fifth the cost of high-speed Internet. With Snowball, you don’t need to write any code or purchase any hardware to transfer your data. Simply create a job in the AWS Management Console and a Snowball appliance will be automatically shipped to you. Once it arrives, attach the appliance to your local network, download and run the Snowball client to establish a connection, and then use the client to select the file directories that you want to transfer to the appliance. The client will then encrypt and transfer the files to the appliance at high speed. Once the transfer is complete and the appliance is ready to be returned, the E Ink shipping label will automatically update and you can track the job status via Amazon Simple Notification Service (SNS), text messages, or directly in the Console. Snowball uses multiple layers of security designed to protect your data including tamper-resistant enclosures, 256-bit encryption, and an industry-standard Trusted Platform Module (TPM) designed to ensure both security and full chain-of-custody of your data. Once the data transfer job has been processed and verified, AWS performs a software erasure of the Snowball appliance.


AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules. With AWS WAF you pay only for what you use. AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives. There are no upfront commitments. You can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution or the Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2. 

Azure Key Vault

Azure Key Vault offers an easy, cost-effective way to safeguard keys and other secrets in the cloud by using hardware security modules (HSMs). Protect cryptographic keys and small secrets like passwords with keys stored in HSMs. For added assurance, import or generate your keys in HSMs that are certified to FIPS 140-2 level 2 and Common Criteria EAL4+ standards, so that your keys stay within the HSM boundary. Key Vault is designed so that Microsoft does not see or extract your keys. Create new keys for Dev-Test in minutes and migrate seamlessly to production keys managed by security operations. Key Vault scales to meet the demands of your cloud applications without the hassle required to provision, deploy, and manage HSMs and key management software.

Brian Krebs

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. 

Carbon Black

Carbon Black is the top choice among serious security professionals. Carbon Black delivers the industry’s most complete endpoint security platform. Whatever your endpoint security needs and goals, and wherever you’re starting, we can help.

Cisco Continuum

Continuum is a tailored view of the security industry and its most notable stories and news. Here you will find the updates and conversations that are driving the future of the industry. Security is a fascinating, swift-moving industry that affects every other, and we are all players within it.


CloudFlare, Inc. is a U.S. company that provides a content delivery network and distributed domain name server services, sitting between the visitor and the CloudFlare user's hosting provider, acting as a reverse proxy for websites. Its network protects, speeds up, and improves availability for a website or mobile application with a change in DNS. 


Cobalt offers you agile time-limited security assessments as well as ongoing bug bounty programs - the choice is yours. With our Bug Bounty Programs, you pay per bug, not per hour, and you set the bounty sizes as you think appropriate. You can choose from public or private programs. We can also manage your program for you.

Crosscheck Networks

Crosscheck Networks is the global leader in API Testing, Simulation, and Gateway technologies with product deployments in over 50,000 customer networks worldwide. Comprehensive API testing includes functional automation, performance, compliance and security testing with patented dynamic mutation technology.


CrowdStrike is a cybersecurity technology firm pioneering next-generation endpoint protection, delivered as a single integrated cloud-based solution. CrowdStrike’s Falcon platform stops breaches by detecting all attack types, even malware-free intrusions, providing five-second visibility across all current and past endpoint activity while reducing cost and complexity for customers. CrowdStrike’s Falcon platform is delivered via the security industry’s only 100% native cloud architecture, integrated with 24/7 managed hunting capabilities and in-house threat intelligence and incident response teams. CrowdStrike’s unique Threat Graph harnesses the cloud to instantly analyze data from billions of endpoint events across a global crowdsource community, allowing detection and prevention of attacks based on patented behavioral pattern recognition technology.

Dark Reading

Long one of the most widely-read cyber security news sites on the Web, Dark Reading is now the most trusted online community for security professionals like you. Our community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Dome9 Security

Dome9 is the leading cloud firewall management service. Their patent-pending security automation creates a strong, front-line defense that stops zero-day vulnerabilities and exploits, secures remote access, and centralizes policy management. Available for the enterprise and hosting providers, Dome9 automates security policy management for cloud, dedicated, and Virtual Private Servers (VPS). Their sophisticated security management platform controls Amazon EC2 & VPC Security Groups, as well as any OpenStack, CloudStack, Eucalyptus, and VMware vCloud-based private and public clouds.

Duo Security

Duo Security enables protected login and transactional functions for smartphone users. It does this by sending users authorization verification from a web-based platform to their phones, in addition to their login. Their REST API provides integration to their two-factor authentication process. It is a RESTful API, and returns JSON (default), BSON, and XML responses.


We are a group of hackers passionate about improving the security posture of companies, tech startups in particular. We have previously worked at some of the biggest internet companies, enterprise software and tech startups in domains of video, ads, media, distributed systems and machine learning. In the last few months, we have discovered severe vulnerabilities in almost all Indian startups including Ola, Zomato, Jabong, Bigbasket etc. We are based out of Bangalore, India.

Farsight Security

Get critical, comprehensive contextual information needed by Security, Security Operations Center (SOC) and Incident Response (IR) teams to take appropriate actions to investigate, mitigate and avoid threats. As early as 2007, Farsight Security's founders, led by Internet pioneer Dr. Paul Vixie, recognized that real-time, ground-truth observations of global Internet activity, particularly passive observations of the use of the Domain Name System (DNS), could help the security community immensely. DNS, which maps domain names to IP addresses and other Internet infrastructure resources, is the lifeline of the Internet.


Firebase is a mobile platform that helps you quickly develop high-quality apps, grow your user base, and earn more money. Firebase is made up of complementary features that you can mix-and-match to fit your needs.

Forum Systems

Forum Systems is the global leader in API Security Management with industry-certified, patented, and proven products deployed in the most rigorous and demanding customer environments worldwide for over 15 years.

Google Safe Browsing

The Safe Browsing APIs (v4) let your client applications check URLs against Google's constantly updated lists of unsafe web resources. Examples of unsafe web resources are social engineering sites (phishing and deceptive sites) and sites that host malware or unwanted software. Any URL found on a Safe Browsing list is considered unsafe.

Google Site Verification

The Google Site Verification API lets you develop applications or services that automate the process of verifying that the authenticated user owns a domain or website. This is important, since some Google services can only be used by site owners.

IDrive Online Backup

Built with developers in mind, IDrive Encrypted Versioned file System is a powerful, easy to use service that provides secure, encrypted and versioned cloud storage. Unlike other generic storage systems, IDrive EVS has storage encryption, versioning and block level incremental transfers built in both-ways for uploads and downloads. This gives you the freedom to develop innovative applications to customize your Backup, Storage, Sync, Sharing, Disaster recovery and more that are highly efficient, scalable and require minimal coding. It provides powerful APIs for uploading, retrieving, managing data and storage, at any time, from anywhere on the Internet.

Infosec Institute

InfoSec Institute was founded in 1998 by an expert team of information security instructors. Their goal was to build a business by offering the best possible training experience for students. We felt that by providing the best possible hands on training, the most practical for today’s demanding workplace requirements, that the business would grow by leaps and bounds.

IT Security Guru

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Light Blue Touchpaper

Light Blue Touchpaper is a weblog written by researchers in the Security Group at the University of Cambridge Computer Laboratory. Read here brief and timely essays on recent developments and topics related to computer security, including pointers to interesting new research results and literature, opinions on current developments, commentary on media coverage and other musings.


I’m a security practitioner that has been in computer, network & information security for almost two decades now. I have worked in the financial, military, government, critical infrastructure and health care verticals to name a few.

ManagedMethods Inc

Managed Methods Inc. develops and sells solutions for the governance of cloud services and SOA environments. The company focuses on providing tools that enable visibility and control of Web services in the production environment. It offers CloudGate, a hosted cloud services management solution that delivers security, monitoring, and governance that gives control of Web-based services deployed in public cloud infrastructures. The company also provides JaxView, an SOA management product that provides visibility and control for SOA, and cloud services and APIs. 


With headquarters in San Francisco, MetaCert is the first and only company to provide a security solution that protects consumers from mobile malware and phishing attacks on the app-layer. MetaCert is also the first and only company to provide a Security API to help developers stop pornography from appearing inside their apps.


We verify the source of each session and validate that it was generated by humans in your network. Automated processes are whitelisted and anything remaining is malware. Unlike other solutions that rely on intelligence or signatures, our solution can detect and block zero-day malware and the most advanced persistent threats to date. Out of the box, it would have detected and prevented hacks such as the ones against the DNC, OPM, Sony, and others. Metapacket automatically blocks malware and exploitation attempts, including from unknown or zero-day threats, and generates highly-focused and clear incident reports.


miiCard (My Internet Identity) is a global Identity as a Service solution that proves ‘you are who you say you are’, purely online, in minutes and to the same level as a physical passport or photo ID check. Through a patented process that leverages the trust between an individual and their financial institution, miiCard establishes identity to Level of Assurance 3+ and meets Know Your Customer and Anti-Money Laundering identity guidelines, enabling the sale of regulated products and services purely online. Combining online identity proofing with strong authentication, miiCard provides the trust and security required for people and businesses to meet and transact with confidence in a purely digital environment.


Mollom is a web service that analyzes the quality of content posted to websites. This includes comments, contact-form messages, blogs, and forum posts. Mollom screens all contributions before they are posted to participating websites.


OpenDNS is a company and service which extends the Domain Name System (DNS) by adding features such as phishing protection and optional content filtering to traditional recursive DNS services. The company hosts a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. 

OWASP API Security Project

This project is designed to address the ever-increasing number of organizations that are deploying potentially sensitive APIs as part of their software offerings. These APIs are used for internal tasks and to interface with third parties. Unfortunately, many APIs do not undergo the rigorous security testing that would render them secure from attack.


Quttera Website Malware Scanner is a website security service that scans websites for malicious and suspicious activity. The Quttera Website Malware API provides real-time website malware monitoring and scanning that allow you to act quickly upon active threat detection.


Red Canary continuously monitors your endpoints, reviews suspicious activity, eliminates false positives and provides the tools and intelligence for rapid response. Red Canary was founded to bring world-class endpoint threat detection and response to every business. We were using the Carbon Black endpoint data recorder for incident response. We realized that the data used for incident response was ideal for detecting cyber threats.

Rest Secured

Rest Secured is a service that helps you easily verify the security of your APIs. It reduces the cost typically associated with expensive audits by leveraging automation, therefore minimizing the manual labor required by traditional penetration testing suites. Rest Secured is used by developers and testing teams. It is designed to be user friendly and requires no prior knowledge about security.


We enable security teams to expand their security programs outside the firewall® to address the growing challenge of external threats targeting the enterprise, its customers, and employees. We’re used by leading financial institutions, insurance providers, and consumers. B2B brands use RiskIQ to protect themselves and their users from code-level threats, malware, phishing, social media attacks and fraud.


Sapience allows you to create an API profile by importing an existing API definition - we support over 10 of the most common formats including Swagger, API Blueprint, Postman etc. Alternatively, it's possible to create an API profile manually using our wizard.


Designed for the rigors of healthcare, Sfax enables you to send, receive, annotate, digitally sign and manage faxes without printing a single physical document. All your documents are protected by military-grade encryption within our SSAE16 Type 2 data centers.


Secful closes the API security gap with a new approach. Providing comprehensive prevention of API attacks and precise real-time detection, Secful helps enterprises achieve peace of mind.

Shape Security

Global 2000 corporations are currently experiencing millions of automated attacks per day on web and mobile applications. Shape is the industry's leading real-time adaptive application defense platform. Designed for rapid deployment, Shape protects organizations against the most advanced automated attacks that evade traditional security defenses.

Sift Science

Sift Science fights fraud with machine learning. Machine learning teaches a computer to mine data for statistical patterns, and continuously learn and adapt as new data streams in. With simple APIs that take minutes to integrate, an online business can leverage the latest in large-scale machine learning to protect themselves from fraud. Chargebacks, spammers, account takeovers, etc. Online businesses send Sift Science user events, which are mined for identity, behavioral, and network patterns that correspond to past fraud. Sift Science also pools fraud patterns across its network of customers. The network strengthens as more data streams in. Customers can also “train their own model” and tailor their results via a simple interface.


Signifyd helps e-commerce businesses sell confidently while protecting them from fraud. We simplify fraud prevention with tools and expertise built on our years of experience at PayPal, RSA, Fraud Sciences and FedEx. We know how to interpret a user's digital footprint and bridge the gap between Online and Offline Identity. And we know how to do it without creating friction for legitimate users.

SmartBear Software

SmartBear Software provides tools for over 100,000 software professionals to build, test, and monitor some of the best software applications and websites anywhere on the desktop, mobile and in the cloud.


StackPath is the intelligent web services platform for security, speed and scale. It is the first platform to unify enterprise security solutions by leveraging collaborative intelligence that makes each service smarter and more secure with every threat detected, in addition to vastly improving the customer experience. More than 30,000 customers, ranging from Fortune 100 companies to early stage startups already use StackPath technology. Headquartered in Dallas, Texas, StackPath has offices across the U.S. and internationally.


Stormpath is an authentication and user management service that helps development teams quickly and securely build web and mobile applications and services. With the Stormpath API, you can add a user management layer to simple or complex applications, with little custom code.


A scalable open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.


ThreatConnect, Inc. is the leading provider of advanced threat intelligence products and services including ThreatConnect®, the most comprehensive Threat Intelligence Platform (TIP) on the market. ThreatConnect delivers a single platform in the cloud and on-premises to effectively aggregate, analyze, and act to counter sophisticated cyber-attacks. Leveraging advanced analytics capabilities ThreatConnect offers a superior understanding of relevant cyber threats to business operations. 


Threatpost, the Kaspersky Lab security news service, is an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.

UMBC Ebiquity Research Group

The UMBC Ebiquity Research Group consists of faculty and students from the Department of Computer Science and Electrical Engineering (CSEE) of University of Maryland, Baltimore County (UMBC), located in Baltimore MD.


Biometric Security Ltd. develops and markets a biometric voice verification system. It offers VoiceVault, which verifies an individual’s identity on phone or Internet, and develops voiceprints. The company's product is used for business applications, including procurement, payment authorization, and corporate security. It also serves banks, insurers, and government agencies.

White Ops

White Ops, Inc. provides online fraud detection solutions. It offers Real Time Dashboard, a solution that enables users to identify, track, and classify automated fraud in real time; and Custom Reporting, a solution that provides traffic analysis reports. The company also provides solutions for the detection of automated or remote access by malware-infected nodes, including fraudulent information access with user credentials, identification of resource-based DDOS, and differentiation between benign and malicious client-based malware.


Wickr is a secure communications company founded on the belief that access to private communications is a fundamental human right that enables innovation and economic growth, while also empowering democracy. We are committed to constantly improving our best-in-class encryption technology to thwart sophisticated criminal attacks and cyber threats. Our partners and users face these threats daily. Protecting their business data and communications is our purpose. 


Yubico offers best-of-breed authentication solutions across mobile and desktop devices. The company's flagship product, the YubiKey®, is an innovative, driverless hardware device that can work seamlessly over NFC and USB to offer anytime, anywhere authentication across a range of consumer and enterprise applications. Yubico offers disruptive open source software and cloud-based solutions allowing enterprises to quickly adopt YubiKey-based strong authentication for their employees, partners and consumers.

If you think there is an organization I should have listed here, feel free to tweet it at me, or submit it as a GitHub issue. Even though I do this full time, I'm still a one-person show, and I miss quite a bit, and depend on my network to help me know what is going on.